February 0-day for Adobe Flash – Update 2

Update 2: The patch rollout for CVE-2015-0313 has begun, first through the Adobe Flash auto-updaters, then later through the downloadable package plus Chrome and IE.

Update: More evidence has emerged on the 0-day (CVE-2015-0313) in the latest Adobe Flash. Trend now believes that it is the Hanjuan Exploit Kit, not Angler, that is actively using the 0-day. In addition, their testing has shown that the exploit is unable to escape the Google Chrome sandbox, so Flash running under Google Chrome is still safe. This is actually good news and similar to the last 0-day, CVE-2015-0311. Meanwhile, Cisco’s Talos group reports on further variants of CVE-2015-0311, and their telemetry gives an idea of the spread of the attack that uses an ad network.

Original: After Adobe fixed two 0-days (APSB15-02 and APSB15-03) in January, February starts off with its own 0-day. Trend Micro reports, and Adobe acknowledges, the new 0-day CVE-2015-0313, which comes to us courtesy of the Angler Exploit Kit again. Not much is known at this time, except that Trend’s security tools are preventing the exploit from executing. There is no word so far on other tools such as the free EMET.

Maybe this is just the Angler tech team living up to their maintenance contracts to always have a 0-day around?